
Network Security Alerts Management Architecture for Signature-Based Intrusions Detection Systems within a NAT Environment

Published in: Journal of Network and Systems Management

Abstract

The Internet provides essential communication among a vast number of people and is increasingly used as a tool for commerce. At the same time, security is becoming a tremendously important issue to deal with. Different network security solutions exist and contribute to enhanced security. Among these solutions, intrusion detection systems (IDSs) have become one of the most common countermeasures for monitoring the security of computer systems and networks. The purpose of an IDS is to distinguish intruders from normal users. However, IDSs report a massive number of isolated alerts, and these isolated alerts represent low-level security-related events. Many of them are logically part of a single multi-stage intrusion incident, and a security officer often wants to analyze the complete incident rather than each individual alert. Another problem is that IDSs cannot work correctly in an environment managed with Network Address Translation (NAT), since the host information (IP address and port number) is rewritten by the NAT devices. To address these limitations, the paper proposes a well-structured model that manages the massive number of isolated alerts and includes the NAT information in the IDS analysis. Our solution makes it possible to determine the real identities of the entities involved in security issues and abstracts the logical relation between alerts, in order to support automatic correlation of the alerts belonging to the same intrusion and to construct comprehensible attack scenarios.
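As an added illustration of the NAT-aware step the abstract describes (example code written for this page, not the authors' model): alerts seen on the public side of a NAT gateway carry the gateway's address and a translated port, so the analyzer first looks up the NAT binding that was active at alert time, rewrites the alert to the inside host, and only then groups alerts by real source into incidents. The NAT table, the alerts, the addresses and the signature labels are all constructed here; the example also covers port reuse, where the same public port maps to different inside hosts at different times.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class NatBinding:
    """One NAT session: inside_ip:inside_port appeared as outside_ip:outside_port from start to end."""
    start: float
    end: float
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int

@dataclass(frozen=True)
class Alert:
    ts: float
    sig: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def resolve(alert: Alert, bindings: list[NatBinding]) -> Alert:
    """Rewrite the alert's (public) source to the inside host whose binding covered the alert time.
    Time matters: a public port is reused by later sessions. Unmatched alerts are returned unchanged."""
    for b in bindings:
        if b.start <= alert.ts <= b.end and (alert.src_ip, alert.src_port) == (b.outside_ip, b.outside_port):
            return replace(alert, src_ip=b.inside_ip, src_port=b.inside_port)
    return alert

def correlate(alerts: list[Alert], bindings: list[NatBinding]) -> dict[str, list[str]]:
    """Group resolved alerts by real source host, in time order, so one multi-stage incident is one list."""
    incidents: dict[str, list[str]] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        r = resolve(a, bindings)
        incidents.setdefault(r.src_ip, []).append(r.sig)
    return incidents

# Constructed NAT table (gateway public address 203.0.113.5); note the port 50001 reuse at t=250.
BINDINGS = [
    NatBinding(100, 200, "10.0.0.7", 40001, "203.0.113.5", 50001),
    NatBinding(100, 200, "10.0.0.9", 40002, "203.0.113.5", 50002),
    NatBinding(250, 300, "10.0.0.9", 40003, "203.0.113.5", 50001),
]
# Constructed alerts as an IDS outside the NAT would report them (all show the gateway as source).
ALERTS = [
    Alert(150, "exploit-attempt", "203.0.113.5", 50001, "198.51.100.20", 445),
    Alert(120, "port-scan", "203.0.113.5", 50001, "198.51.100.20", 445),
    Alert(130, "web-attack", "203.0.113.5", 50002, "198.51.100.20", 80),
    Alert(260, "suspicious-outbound", "203.0.113.5", 50001, "198.51.100.20", 443),
    Alert(400, "port-scan", "203.0.113.5", 50001, "198.51.100.20", 22),  # no binding: stays unresolved
]
```

Running `correlate(ALERTS, BINDINGS)` attributes the scan and the exploit attempt to 10.0.0.7, the web attack and the later outbound alert to 10.0.0.9, and leaves the t=400 scan on the gateway address because no session record covers it.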





Corresponding author

Correspondence to Meharouech Sourour.


Cite this article

Sourour, M., Adel, B. & Tarek, A. Network Security Alerts Management Architecture for Signature-Based Intrusions Detection Systems within a NAT Environment. J Netw Syst Manage 19, 472–495 (2011). https://doi.org/10.1007/s10922-010-9195-4


  • DOI: https://doi.org/10.1007/s10922-010-9195-4
